As most of you will know, the new GDPR comes into effect across Europe on 25 May 2018, and with it comes a good deal of possible stress and confusion around who is doing what with our personal data and what businesses need to do in order to prepare. This is especially poignant after the recent negative publicity about Cambridge Analytica, Facebook and others using our data for more ‘nefarious’ purposes.
The GDPR applies to ‘personal data’, meaning any information relating to you from which you can be directly or indirectly identified. This definition allows a wide range of personal identifiers to constitute personal data, including a name, a National Insurance / bank / NHS / employee identification number, location data or an online identifier, reflecting changes in technology and the way organisations and social media collect information about you. The GDPR applies to both electronic records and ‘hard copy’ manual filing systems.
However, in the UK we are relatively lucky, because the GDPR (which is an EU regulation) builds on the same principles as the UK’s own Data Protection Act (1998) in keeping your data safe and ensuring that it is used ‘appropriately’, so there isn’t actually a huge amount of change needed by those currently meeting the DPA requirements in order to comply with the GDPR.
Basically, the GDPR sets out a number of rights that you have as a ‘data subject’ (the person the data is about), and they mainly boil down to being able to know exactly who has your data, what data they have, what they will do with it (and they are not allowed to use it for any other purpose), and how long they plan to keep it. It also sets out your right to have your data deleted/destroyed, your right to see exactly what data someone holds about you, and your right to have that data corrected if it is inaccurate. These are all the sorts of things that you would expect are already being done by the organisations and companies that you give your personal information to.
The GDPR might seem a bit confusing (especially if you read some of the online resources about GDPR and the scaremongering that seems to be happening, mainly from organisations selling GDPR compliance to businesses), but it isn’t.
Have a look at what’s there (for those in the UK I would strongly recommend the Information Commissioner’s Office, www.ico.org.uk), and if you still have any questions, there are lots of organisations out there that you can ask for clarification.